This article is written by Sumedha Ganjoo and Arundhati Banerjee and pursuing a Technology law BootCamp. This article has been edited by Prashant (Associate, Lawsikho).
This article has been published by Sneha Mahawar.
The JPC on Personal Data Protection Bill, 2019 has been reported to both Houses of Parliament and approved by the JPC on December 16th, 2021. The Committee’s deliberation process is outstanding. With stakeholders from many walks of life, it ensured a diverse spectrum of opinions and ideas. The Committee’s final report offers 93 recommendations, indicating the Committee’s careful investigation of every aspect of the legislation in question. In order to provide the Indian people with a robust, effective, and comprehensive data protection law, some areas and specifics need further attention.
To that aim, this study compares the report’s suggested amendments to the prior Bill, evaluates their relevance, and provides concrete suggestions for the operationalization of a progressive and rights-enabling data protection system.
Data Protection Bill
Modification of Bill’s title as well as objects and reasons
The taxonomy of the Bill has changed from ‘Personal Data Protection Bill, 2019’ to ‘Data Protection Bill, 2021’. Amending the Bill to incorporate both personal and non-personal data. Many provisions, most notably Clause 2, which elaborates on Bill’s application, reflect the changes. The “Application of Act” was changed to the “Processing of personal and non-personal data”, which specifically includes both. The Committee defines “non-personal data.” But the concept doesn’t convey the intricacies of non-personal data. It simply means non-personal data is information that cannot be linked to an individual. The Committee has now suggested covering non-personal data breaches under the phrase “data breach.”
Deliberately excluding privacy from the standard of data protection law is a substantial departure from previous attempts. The long title of the Draft Data Protection Measure, 2021 places national security first. This is a significant change since the long title is used internally by the Court to interpret the Act.
The definitions of essential terms including consent management, non-personal data, and social media platforms have been updated, as has the concept of damages. While updating concept definitions is welcomed, several places need greater elaboration. The term “psychological damage” has to be defined and explained to remove any misunderstanding. The term fails to account for the multidimensional character of non-personal data.
Timeline for implementation
The JPC proposed a two-year phased implementation strategy that followed global best practices. It will give small firms time to comply, and larger corporations time to renegotiate global contracts and restructure their global supply networks. It will also allow the DPA to better cooperate with industry and other stakeholders, develop codes of conduct, and sign MoUs with other sectoral regulators to minimize regulatory disputes, which is a good thing. However, the Committee did not incorporate this idea in the draft bill given with the report.
Child definition and treatment in the framework
The framework’s definition of a “child” has not been altered, affecting their ability to consent online. Many say India must follow global best practices, which define a child as someone under the age of thirteen.
The Children’s Online Privacy Protection Act in the US and the General Data Protection Regulation in the EU both enforce the thirteen-year-old age limit. The Committee has chosen to keep the previous criteria for underage. This may impact parental consent compliance.
Obtaining broad parental clearance for their children’s online activities leads to excessive compliance, ranging from internal age verification systems to linking the child’s account or activity to the parents and authenticating the relationship. It’s unclear how this will be executed. In the best interests of children, the DPA may categorize data fiduciaries who manage children’s data as substantial data fiduciaries under Clause 26(1)(g).
Portability of data
To safeguard the data principal’s (citizens whose data has been acquired) rights, the Draft Data Protection Bill, 2021 is being proposed. All data custodians must now translate these rights.
A DPA permission is necessary for each data portability request; however, the JPC did not advise on how to execute data portability. Moreover, enforcing data portability places excessive demands on data custodians and exposes sensitive data. The DPA should investigate the validity of request denials while preserving a responsibility of confidentiality.
Provisions for non-consensual processing
Permission to handle personal data is required under the Draft Data Protection Bill 2021. This basic assumption is discussed in clauses 12-14. The JPC offered no substantive suggestions on how these consent exemptions should be supplied.
Concerning the State’s exemption from permission-based processing, Clause 12 retains the previous draft’s overbroad phrasing, which exempts the State from collecting consent to “perform State tasks.” Examples of instances covered in this area include: providing services to the data principle; issuing certificates; licensing; and implementing laws. The Committee now proposes to include court, tribunal, and even quasi-judicial orders under this Clause. To prevent collecting authorization for almost all gatherings or activities, this Clause’s phrasing is excessively broad. The fundamental goal of this framework is to establish a policy that supports a consent-based architecture for data and privacy protection.
The Bill’s Clause 13 concerns the processing of personal data for job reasons and suggests an exemption for consent for work-related activities. Given that companies cannot use employees’ personal data for employment purposes without their consent, the Committee advised that processing be restricted to “just that which is reasonably expected by the data principal.” This suggestion is crucial to avoid employers from abusing data, like sharing it with competitors. Businesses agree not to compete on salaries, benefits, or other work conditions.
To cut therapist remuneration and push other competitors to do the same, the Federal Trade Commission sued a company that provides therapist staffing services on July 31, 2018. Allowing companies to freely handle employment data, including sharing it with competitors, may harm competition in relevant labor markets. It’s therefore vital to ensure that employment data is treated “reasonably.” The committee’s approach may help maintain healthy competition in labor markets. During implementation, it is critical to add more specificity to the Clause to ensure an adequate level of employer accountability.
Clause 14, which allows for non-consensual processing, has also been changed. These regulations should be created using the criteria recommended by the Committee. The data fiduciary’s legitimate interest is now included. The sub-clause on mergers and acquisitions has also been expanded to include similar corporate combinations or restructurings.
Authority for data protection
Process of appointment and selection
The Act’s DPA is vital to the digital economy. The regulator’s independence and technical capabilities must be addressed, and more must be done to ensure the DPA can function independently. The Attorney General, the Directors of the Indian Institutes of Technology and Management, and an independent expert selected by the national government to the DPA Selection Committee are all good additions. However, the executive branch continues to dominate the selection process, with no participation from the judiciary or the legislature.
This may undermine the DPA’s independence, which is required for the Bill to be accepted by the EU, UK, and US for bilateral data transfer and access agreements.
This implies future agreements between India and other nations on appropriateness. The federal government may also remove DPA members, jeopardizing the authority’s independence.
The JPC missed the chance to debate the DPA’s organizational structure. To manage the regulator’s huge worklist, a tiered structure with zonal/state DPAs is required. With many duties and people, this is vital. This regulator may fine both the federal and state governments. In this situation, the DPA’s centralized structure must be reviewed to provide enough state representation. Institutionally regulators, like Consumer Protection Commissions, Human Rights Commissions, and Information Commissions created under the Right to Information Act, enable state participation. The DPA’s institutional design lacks a connection to India’s federal governmental system, which may affect its implementation.
The DPA’s power has also decreased, in terms of autonomy. JPC recommended limiting the DPA’s ability to authorize the transfer of sensitive personal data beyond India. The federal government’s prior approval must be consulted. Second, the JPC has proposed expanding the scope of the central government’s directives on DPA from solely policy concerns to other areas also. This may affect the DPA’s independence. Compared to the DPA, the annexed legislation gives the central government far more authority.
Possibilities of conflicting jurisdictions between other agencies and the DPA
DPA coordination with other regulatory bodies including the Competition Commission of India, Securities and Exchange Board of India, and the Reserve Bank of India may assist reduce regulatory burden and uncertainty for the digital ecosystem. JPC has offered no proposals. As a remedy, the Draft Data Protection Bill, 2021 requires the DPA to consult with the authority before taking any action, and the two agencies may even sign an MOU to coordinate their activities. But such discussions and memorandums of the agreement still need explanation.
The report emphasizes teamwork by including the DPA’s “economic activities.” Regulations specifying timelines and procedures for these consultations and memorandums of agreement may be added to this resolution. These norms may require an open process including a wide variety of parties, technology companies, governments, and civil society.
Protection of commercially sensitive information in the course of DPA investigations
Inquiries and investigations must protect commercially sensitive information. In the absence of a trade secret law, data fiduciaries must be adequately protected. Clause 49(3) of the Draft Data Protection Bill, 2021 specifies that the DPA shall not release sensitive information unless required by law or to accomplish its duties. The JPC was expected to instruct the DPA to create legislation preventing the creation of secrecy rings. But it hasn’t happened. Confidentiality legislation or the DPA’s general operating guidelines may focus on this problem in the future, producing a stable confidentiality regime.
Data flows across borders
Data localization is still sought to safeguard personal data, sovereign interests, and provide law enforcement access to data. Critical personal data remains unclear, and the resulting compliance ambiguity may harm the industry. Affected trade and commercial interests with the EU, US, and the UK may hinder the formation of data-transfer agreements/multilateral treaties. As per Bill’s provision, the Central Government must ensure that a mirror copy of sensitive personal data held by overseas corporations is transported to India in a timely way.
Moreover, cross-border data transfers are illegal if they contravene “public policy” or “state policy”. Undefined or ambiguous terminology may lead to implementation uncertainty. The DPA must consult with the federal government before considering contract or scheme amendments involving personal data. Notably, the 2019 Bill’s localization limits were less onerous than the Sri Krishna Committee. The JPC was also excluded from negotiations on global data flows. Tools exist to facilitate data transfers between countries that have enacted data protection regulations. Countries may utilize these tools to share data more easily while maintaining strong privacy standards agreed upon in a bilateral or multilateral agreement.
Data protection laws must be consistent with global ecosystems. Notably absent from the JPC’s recommendations is any discussion of how the Indian data security framework may embrace interoperability and align with global data protection ecosystems.
This does not ease industry and investor concerns about India as an investment place. Increased compliance and startup costs for SMEs and start-ups are also a major concern, as they may push out existing companies and serve as an entry barrier for new enterprises and start-ups.
Also, the technology industry has advanced in providing methods to protect sensitive data throughout the processing cycle, such as confidential computing. Confidential computing is a kind of cloud computing technology that ensures sensitive data is segregated during processing. This is only one of the several privacy-enhancing measures utilized throughout the data lifecycle, from collection to processing, to protect sensitive data. The Committee has ignored such technologies and their potential security concerns in favor of localization as a solution.
Regulation of hardware
A new sub-clause 49(2)(o) governs hardware manufacturers that collect data from digital devices. Concerns about data security must be addressed.
Targeted regulation of the digital ecosystem is necessary for a safe digital environment. Hardware manufacturers seek certification from the Bureau of Indian Standards, Ministry of Electronics and Information Technology, Telecommunication Engineering Center, and Wireless Planning and Coordination. The National Security Directive on Telecommunications also requires telecom service providers to link their networks with “trusted goods” from “trusted sources.” Adopting data protection legislation that requires the DPA to monitor, test, and certify hardware devices may result in regulatory overlap with other sectoral agencies.
As a consequence, appropriate criteria must be set, taking into consideration the following:
- Excellent technical and industrial advice;
- Ensuring global testing and compliance requirements to preserve data privacy and business convenience.
Exemptions from government
Clause 35 of the Bill, which exempts the State, remains intact. Because the government collects important data on all people, any exemption must be narrowly targeted. The term “just, fair, reasonable, and proportionate” is an excellent indication.
However, limiting the scope of such exclusions by defining certain instances would have reduced the probability of misuse. Despite the Puttaswamy verdict mandating the ‘necessary and proportional’ criteria, the Personal Data Protection Bill, 2018, and Justice BN Srikrishna’s report maintain the ‘test’ for civil rights restriction.
Civil liberties may be suspended in an “emergency” without proof that the suspension is “necessary” to the harm. In the Rangarajan case, the Supreme Court clearly barred ‘expediency’ as a criterion and enforced ‘necessity’.
For the State to utilize its Clause 35 exemption, the State must employ a procedure that is just, reasonable, and proportionate, which falls short of the Puttaswamy responsibility. The State need not prove “necessity” as required by the case to claim the exemption under article 35. To provide effective accountability and a check on state power, it is essential to define conditions or goals for such exclusions.
Inclusion of non-personally identifiable information
The JPC essentially controlled all data by including NPD in the Draft Data Protection Bill 2021. This has widened the regulatory perimeter, making it harder for regulators to rule efficiently, corporations to comply, and citizens to exercise their rights. Notably, in other nations with established data protection rules, personal data is treated separately from non-personal data.
While it has been suggested that non-personal data be included in the definition of a breach, the procedures for doing so remain unclear, causing unnecessary complexity. Also, the government must be able to access non-personal data for public policy purposes. Currently, it allows the government to obtain “any data from any data fiduciary,” which is broad.
This raises issues of implementation and compliance. Without a clear definition of personal and non-personal data, data classification becomes difficult in the backend. Even if the goal is compliance, a broad mandate without sufficient direction would make it impossible for global firms to comply. Also, adopting non-personal data requirements may be more challenging due to a lack of understanding and insight into how firms function. Prior to finalizing such a provision in Bill’s wording, significant stakeholder involvement may be prudent.
The Draft Data Protection Bill, 2021 aims to protect people’s data privacy, while the urge to regulate NPD stems from the desire to unleash data’s economic potential for individuals, businesses, and communities. Given these opposing goals, merging the regulation of both types of data would undermine the latter.
There is a lack of clarity on the planned regulation of NPD.
The JPC report makes minor changes to the Draft Data Protection Bill 2021, such as disclosing non-personal data breaches, while other areas of data protection remain personal. This shows a lack of clarity in the new bill on NPD regulation. NPD inclusion in Bill 2021 without consideration of its effect, application, and intent may create uncertainty and dispute.
Infringement of Intellectual Property Rights
The government hasn’t said how it would regulate anonymized data. Given that NPD may potentially include all information handled by a company, over-regulation may infringe on some parts of the company’s intellectual property rights.
The DPA’s regulation of NPD
The GDPR is largely recognized as an important privacy and data protection law. It mandates that data protection standards apply only to information related to an identified person. Thus, anonymized data may be maintained beyond Bill’s reach. To enforce the Data Protection Law, the DPA should set criteria for anonymization and punishments for de-anonymization.
Regulation of platforms and intermediary liability
Consider social media platforms to be publishers
The JPC study identifies social media intermediaries as publishers, although the Draft Data Protection Bill for 2021 does not. The study advises seeing digital platforms as publishers of the data they hold. This advice assumes that intermediaries regulate access to the content they host. Transparency and accountability in the platform’s actions are critical to successful regulation. This approach clashes with the Shreya Singhal decision’s recognized conceptions of intermediate duty.
The Bill emphasizes building a sound data security framework, not controlling social media corporations. The approach goes against recognized platform regulatory principles laid forth in the Information Technology Act and implementing Rules, the bedrock of social media regulation. The IT Act protects intermediaries from liability for user-generated content if they have no “actual knowledge” of its illegality.
Eliminating this safeguard may result in intermediaries self-censoring, affecting citizens’ right to online free speech.
Verification of the user
The recommendation supports mandatory social media account verification as a prerequisite for intermediate status resulting in an increase in the amount of personal data stored by social media corporations. There is a need to address online safety concerns, which have exploded in recent years due to bots and fake accounts. The recommendation’s catastrophic ramifications for users’ privacy and freedom of speech cannot be disregarded. Anonymity allows the free sharing of information and ideas online. Mandatory verification may also harm journalists, human rights activists, LGBTQ+ groups, and groups that employ anonymous social media identities.
A centralized regulating authority for both internet and print media
Establishing a single regulatory entity to control print and social media content is unfeasible. In order to preserve the integrity of published material, it is necessary to control the media space. Social media platforms serve as a channel for third-party user-generated material. Print media produces the content that these platforms host. Given their varied business models, it is vital that both organizations be governed in ways that meet the specific needs of their respective industries.
Clause 23(1)(h) of the Draft Data Protection Bill, 2021 includes algorithmic disclosure, the EU’s Digital Services Act, and the Santa Clara Principles on Transparency and Accountability in Content Moderation 2.0. By 2021, data fiduciaries must ensure that the algorithms or methods used to handle personal data are transparent. This information allows the data subject to understand the decision and prevents the controller from making discriminatory or illegal decisions.
The vague language of this sentence, along with its vast reach, raises concerns about its abuse. The extent of such disclosure is not specified; much of Clause 23 is left to future legislation. The public’s access to these algorithms may enable undesirable actors to exploit the platform and overcome the algorithms. More than disclosures, the precise rules and cutoff points for establishing the ‘fairness’ of such algorithms utilized by data fiduciaries would be preferred. Before requiring algorithmic disclosure, stakeholders must be consulted and industry practices evaluated.
The Bill’s punishments include criminal penalties for re-identification, financial fines, and the ability to launch class-action lawsuits where the same data breach harms numerous persons.
Fines are based on an amount or a percentage of annual income. However, criminal liability laws, notably jail penalties, continue to hinder many start-ups and small businesses from innovating. The Bill’s criminal penalties include three years in prison for negligent data processing. To maintain proportionality and reward innovators, criminal liability must be eliminated.
While the JPC Report and the 2021 Bill make headway toward resolving various problems that face people in today’s digital environment, they have also drawn criticism. Critics of the 2021 Bill claim that the bill, in its current form, is prone to be misapplied in ways that might jeopardize people’s basic rights. In the digital era, privacy and data protection take precedence and must be protected at a comparable level. The way in which the 2021 Bill’s powers are used will decide whether they are required for state functioning or whether they leave digital data rights unprotected and diminish the code’s aim.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: